Nuclear Station Suffers USB Data Breach

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.eweekeurope.co.uk/news/nuclear-station-suffers-data-breach-from-lost-usb-stick-10731

The data breach threat posed by USB sticks has once again been exposed
after nuclear processing company Sellafield began an investigation
into the loss of a USB device, said to contain information about its
business operations.

The USB device was found in a hotel room at the Ennerdale Country
House Hotel in Cumbria by coach driver Craig Beavan.

The data was reportedly unencrypted and included details of a proposed
workforce transfer and the benefits of the staff transfer, including
lower costs and reduced liabilities. There was also information on the
stick that suggested that the International Atomic Energy Agency
technicians visiting the site were not sufficiently briefed on health
and safety regulations.

Investigation Launched

Beavan said that he found the stick on the floor of his room at the
hotel and then checked its contents on his computer to identify who it
belonged to.
“I was coming out of the bathroom and saw it on the floor, I put it in
my computer to see who it belonged to when I found the Sellafield
documents,” Beavan told the Whitehaven news. “I couldn’t believe it.
It is more what could have been on the stick that bothers me. There
might not be anything top secret on there but what if there had been?
I am concerned it was left there, anyone could have found it.”

Sellafield has said that it is investigating how the stick came to be
left in the hotel room.

“Sellafield Ltd understands there is no sensitive material on the
memory stick. However, we take this issue very seriously and are
investigating how this happened,” a spokesman was quoted as saying by
the Whitehaven news.

It is thought that Sellafield provides its staff with USB memory
sticks in order to transfer business related information. “All users
of USB memory sticks are provided with guidance on their use. We
control sensitive nuclear information in line with strict security
regulations,” the spokesman said.

Not The First Time

This is not the first time that a USB stick has caused a data breach.
In early September a memory stick said to contain anti-terror training
manuals was discovered outside a Manchester police station. In May, a
NHS worker in the secure mental health unit of a Scottish hospital was
suspended, after he lost a USB stick containing patients’ medical
records. More recently a healthcare agency (Healthcare Locums Plc) was
found to be in breach of the Data Protection Act (DPA) after it lost a
hard disc drive (HDD) that contained personal data of the doctors it
employed, such as their security clearances and visa information.

This latest loss provoked a quick reaction from data security specialists.

“While the convenience of USB sticks make them an important tool for
any business, you don’t have to be a nuclear scientist to know that
the data carried on these devices must be protected,” Sean Glynn, vice
president and chief marketing officer at Credant Technologies.

Encryption Needed

“Corporate USB sticks should always include encryption and other forms
of security as a basic requirement because - as this incident clearly
shows - unencrypted data can, and does, fall into the wrong hands,”
said Glynn.

“Sellafield has done the right thing in launching an investigation,
but this is a potentially serious breach of data security on several
levels, with national security overtones. Sellafield needs to look
very carefully at its data security policies, and the technology that
enforces those policies,” said Glynn.

Data breaches of this kind fall under the remit of the Information
Commissioner’s Office.

The ICO has previously warned businesses that if they do not own up to
data breaches, they will face tougher action than those that come
forward of their volition. Companies that fall foul of data breach
laws risk a maximum fine of £500,000 under powers granted to the ICO
in January this year.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/